I track people who are disrupting the world of mobile technology. Non-conformists, innovators and agitators are this blog's unsung heroes, from entrepreneurs to scientists, to rebellious hackers. I'm the author of "We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency", (Little Brown, 2012) which The New York Times called a "lively, startling book that reads as 'The Social Network' for group hackers." I recently relocated to Forbes' San Francisco office, and was previously Forbes' London bureau chief from 2008-12, interviewing British billionaires like Philip Green and controversial figures like Mohammed Al Fayed; I wrote last year's billionaires cover story on Russia's Yuri Milner, and have broken stories like the Facebook-Spotify partnership in 2011. Before all this I had stints at the BBC and as a radio journalist. You can watch me on 'The Daily Show' here. If you have a story idea or tip, e-mail me at polson@forbes.com or follow me on Twitter: parmy.

Forget Passwords. Now Banks Can Track Your Typing Behavior On Phones

Danske Bank's mobile app can now verify users based on the pressure and rhythm of their keystrokes.

Password theft is an ongoing problem. Finger print and voice recognition is still years away. What’s a bank to do if it wants to verify the thousands of customers using its mobile app? One way is their behavior — or at least their typing behavior.

Banks in Europe’s Nordic region have begun rolling out a new kind of security technology for their mobile apps that tracks the pressure and speed of how customers type a pin number into their smartphones. This way even if a friend knows someone’s pin, they wouldn’t be able to get in thanks to all the automatic nuances in the way people type, such as rhythm and pressure on the keys.

“We’re monitoring the small stuff,” says Neil Costigan, founder of Behaviosec, the Swedish security startup behind the recent roll-out. “The flight between the keys, which corners of the keys you tend to hit, where you pause. Do you circle in on a button or do you go straight to it and hit it?”

Nordic banks including Danske BankDanske Bank have trialled Behaviosec’s tracking technology and found it worked so well that by the end of the year, every Internet bank user in Sweden, Norway and Denmark will be doubly verified by their typing behavior, not just their pin number, Costigan claims. He can’t name his banking clients due to contractual obligations but claims millions of people will be tracked by the technology.

The startup claims a high success rate on verification: it reached 99.7% session accuracy when it trialled its behavior-tracking technology in conjunction with a pin number for Danske Bank. Now it says it’s seeing interest from U.S. payments providers and smartphone manufacturers themselves.

If the technology takes off, it could add a whole new layer of security for apps and phones that would be much harder for fraudsters to rip off. Hackers can put millions of user accounts at risk by raiding a database of passwords, but it’s far harder to spoof someone’s typing behavior remotely, especially on smart phones.

The goal according to Costigan, who founded Behaviosec in 2011 as a spin-off from the Lulea University of Technology in Sweden, is to build the technology into smartphones so that the entire device becomes contextually aware of who’s using them, just by tracking keystroke styles. It could know for instance, if a child has picked up a tablet and started browsing YouTube videos or important files.

In trials right now, Behaviosec’s algorithms can detect a false user in between 20 to 60 seconds of them picking up a smartphone, says Costigan. That’s probably too long for professionals who want to protect intellectual property, but recent funding from DARPA could bring that time down. Behaviosec’s latest research takes into account how people hold and move their phone — based on data from a device’s gyroscope and accelerometer — to authenticate users even more quickly.

In its current form, the technology works by first watching how someone types or swipes through a pin code on, say, a mobile banking app. After a while it builds a model of that person’s behavior which it then uses to weigh up against new users.

“It’s constantly learning,” says Costigan. “The behavior is always watched and your profile is constantly updated… The way you would normally do this in the past was a statistical analysis and you would map and make up models of people.”

But the machine learning technology behind this has since jumped forward thanks, surprisingly, to the gaming industry. Modern day computer games increasingly incorporate artificial intelligence technology to learn about a player’s behavior to make games more fun to play. In other words, walk down a corridor and turn left five times and the sixth time there will be a bad guy to trying to shoot you.

“The game learns your behavior and adapts to it,” says Costigan. “We do similar stuff. We watch your behavior and predict what it should be, and if it’s not that we can flag something up and say, ‘Hey something’s not right.’”

Though Costigan talks about developing “profiles,” he says it’ll be years before computers have the somewhat worrying power to identify you out of thousands of others, based on how you type. It’s one thing to say who someone is not, another to recognize who someone is. “It could get to that point,” he says, “but it’s the distant future and would take an enormous amount of memory and computation.”

Post Your Comment

Post Your Reply

Forbes writers have the ability to call out member comments they find particularly interesting. Called-out comments are highlighted across the Forbes network. You'll be notified if your comment is called out.